Our GDPR commitment

We are committed to GDPR compliance across our Basware operations. We are also committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and agreements.

What is GDPR?

From 25 May 2018, the EU General Data Protection Regulation (GDPR) strengthens the rights of individuals regarding their personal data and seeks to unify local data protection laws across Europe. GDPR imposes new or additional obligations on organizations in the EU processing personal data and on organizations outside the EU processing personal data of EU residents.

What does GDPR mean to our customers?

Whenever GDPR applies to our customers, they must implement appropriate measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR requirements. These requirements relate to principles such as lawfulness, fairness and transparency, accuracy, purpose limitation, data minimization, storage limitation, integrity and confidentiality. They also relate to fulfilling individuals’ rights with respect to their personal data. 

Our customers must furthermore ensure that the service providers they select to process personal data on their behalf guarantee their ability to implement appropriate measures so that the processing meets the GDPR requirements. 

What does GDPR mean to us in relation to our customers?

The measures we foresee help our customers meet the GDPR requirements when personal data, as part of business data, is processed through our services. Our GDPR assurances are summarized on this webpage.

We are including this commitment in our agreements with our customers. If you are an existing customer but didn't get our email on this matter, please see our communication to get our standard GDPR appendix executed and delivered to us.

This assists our customers in demonstrating their compliance with GDPR.

Our 5 GDPR assurances

1. We are on top of it.

We are conducting an extensive GDPR compliance program. It is run by the Basware Data Protection Team, which consists of privacy and security experts. The Team identifies our data processing activities, maintains our process register, performs data protection impact assessments, builds compliance documentation and follows up on compliance improvement actions. We are appointing a data protection officer where legally required. External experts audit and verify our GDPR compliance program. The Team also ensures that staff members processing personal data are trained to comply with our data processing policies and bound to confidentiality.

2. We follow customers’ instructions.

We process personal data contained in business data transmitted to us only on behalf of our customers, to the extent necessary for our services and in accordance with our customers’ instructions. In legal terms, we are the data processor and our customers are the data controllers. After expiry of our services, we delete the personal data of the related customers from our systems, unless otherwise required by law.

3. Our worldwide subprocessors are qualified.

We select qualified subprocessors to support the delivery of our cloud services. We are responsible for them and have appropriate data processing arrangements in place with them. We make information available about our current subprocessors and notify relevant customers in case we change any such subprocessor. Before we transfer personal data for processing to any subprocessor outside the EU, we provide for GDPR-proof appropriate safeguards.

4. Security of data is core.

Through our information security program, we maintain appropriate technical and organisational security measures designed to protect the security and integrity of data. Our security measures are based on globally accepted standards and described in a separate notice, available here. We audit our security measures. We notify our related customers in the unlikely event of a security breach on our systems of which we become aware.

5. We assist.

Our services allow our customers to respond to legitimate requests from individuals, mainly to rectify, block or erase their personal data. If this is not possible, we will assist. When our customers perform security and data protection assessments, handle security incident notifications or reply to consultations of supervisory authorities that relate to our services, and think we can be of any help, we will assist where we can. We also assist customers wanting to audit our compliance.

Further Information




Useful links: